fixes #31: ability to delete users (for admins)

2017-02-12 21:45:42 +01:00 · 2017-02-12 21:45:42 +01:00 · d8e6a8cd5b
commit d8e6a8cd5b
parent 2f6a97e215
3 changed files with 19 additions and 5 deletions
--- a/ibt2.py
+++ b/ibt2.py
@ -479,7 +479,14 @@ class UsersHandler(BaseHandler):
        if id_ is None:
            return self.build_error(status=404, message='unable to access the resource')
        if not self.has_permission(id_):
-            return
+            return self.build_error(status=401, message='insufficient permissions: must be admin')
+        if id_ == self.current_user:
+            return self.build_error(status=401, message='unable to delete the current user; ask an admin')
+        doc = self.db.getOne(self.collection, {'_id': id_})
+        if not doc:
+            return self.build_error(status=404, message='unable to access the resource')
+        if doc.get('username') == 'admin':
+            return self.build_error(status=401, message='unable to delete the admin user')
        howMany = self.db.delete(self.collection, id_)
        if id_ in self._users_cache:
            del self._users_cache[id_]
--- a/monco.py
+++ b/monco.py
@ -296,8 +296,8 @@ class Monco(object):
        :param force: force the deletion of all documents, when `_id_or_query` is empty
        :type force: bool

-        :returns: how many documents were removed
-        :rtype: int
+        :returns: dictionary with the number or removed documents
+        :rtype: dict
        """
        if not _id_or_query and not force:
            return
--- a/src/Users.vue
+++ b/src/Users.vue
@ -10,6 +10,7 @@
                        <md-table-row>
                            <md-table-head>Username</md-table-head>
                            <md-table-head>Email</md-table-head>
+                            <md-table-head v-if="loggedInUser.isAdmin">Delete</md-table-head>
                        </md-table-row>
                    </md-table-header>
                    <md-table-body>
@ -22,6 +23,11 @@
                            <md-table-cell>
                                {{user.email}}
                            </md-table-cell>
+                            <md-table-cell v-if="loggedInUser.isAdmin">
+                                <md-button class="md-icon-button" @click="deleteUser(user._id)">
+                                    <md-icon>delete</md-icon>
+                                </md-button>
+                            </md-table-cell>
                        </md-table-row>
                    </md-table-body>
                </md-table>
@ -71,11 +77,12 @@ export default {
        },

        deleteUser(userId) {
-            this.usersUrl.update({id: userId}).then((response) => {
+            this.usersUrl.delete({id: userId}).then((response) => {
                return response.json();
            }, (response) => {
-                this.$refs.dialogObj.show({text: 'unable to delete the user'});
+                this.$refs.dialogObj.show({text: 'unable to delete the user: ' + response.body.message});
            }).then((data) => {
+                this.getUsers();
            });
        }
    },